[Bug 595415] Re: Curl (openssl) fails to open some https URLs with "illegal parameter" error

Stefan Kriwanek 595415 at bugs.launchpad.net
Wed Mar 14 07:56:05 UTC 2012


I have got another curl example for reproduction of the bug. It only
fails if curl is provided with a cookies file, which I can only provide
on request (want to keep it as private as possible). This example did work
well in Natty (no idea about Oneiric).

The line is (no, you cannot remove the long data part):

/usr/bin/curl -b/home/stefan/.geocookies -c/home/stefan/.geocookies
-d'__VIEWSTATE=/wEPDwUKLTIxMjA4MDI5OA8WAh4OTG9naW4uUmVkaXJlY3RlFgJmD2QWBGYPZBYEAgoPFgIeBFRleHQFYjxtZXRhIG5hbWU9IkNvcHlyaWdodCIgY29udGVudD0iQ29weXJpZ2h0IChjKSAyMDAwLTIwMTIgR3JvdW5kc3BlYWssIEluYy4gQWxsIFJpZ2h0cyBSZXNlcnZlZC4iIC8%2BZAILDxYCHwEFRzwhLS0gQ29weXJpZ2h0IChjKSAyMDAwLTIwMTIgR3JvdW5kc3BlYWssIEluYy4gQWxsIFJpZ2h0cyBSZXNlcnZlZC4gLS0%2BZAIBD2QWCAIKDxYCHgdWaXNpYmxlZ2QCKg8PZBYCHgVjbGFzcwUHc3Bhbi0yMGQCKw8WAh8DBQtzcGFuLTQgbGFzdBYCAgEPZBYCAgEPDxYCHwEFggQ8aWZyYW1lIHR5cGU9ImlmcmFtZSIgc3JjPSJodHRwczovL2Fkcy5ncm91bmRzcGVhay5jb20vYS5hc3B4P1pvbmVJRD05JlRhc2s9R2V0JlNpdGVJRD0xJlg9Jzc0NTg4NDJkZmIxZjQ1NGE5MGYwZmUyNGZmZTRlZTllJyIgd2lkdGg9IjEyMCIgaGVpZ2h0PSIyNDAiIE1hcmdpbndpZHRoPSIwIiBNYXJnaW5oZWlnaHQ9IjAiIEhzcGFjZT0iMCIgVnNwYWNlPSIwIiBGcmFtZWJvcmRlcj0iMCIgU2Nyb2xsaW5nPSJubyIgc3R5bGU9IndpZHRoOjEyMHB4O0hlaWdodDoyNDBweDsiPjxhIGhyZWY9Imh0dHBzOi8vYWRzLmdyb3VuZHNwZWFrLmNvbS9hLmFzcHg/Wm9uZUlEPTkmVGFzaz1DbGljayY7TW9kZT1IVE1MJlNpdGVJRD0xIiB0YXJnZXQ9Il9ibGFuayI%2BPGltZyBzcmM9Imh0dHBzOi8vYWRzLmdyb3VuZHNwZWFrLmNvbS9hLmFzcHg/Wm9uZUlEPTkmVGFzaz1HZXQmTW9kZT1IVE1MJlNpdGVJRD0xIiB3aWR0aD0iMTIwIiBoZWlnaHQ9IjI0MCIgYm9yZGVyPSIwIiBhbHQ9IiIgLz48L2E%2BPC9pZnJhbWU%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'
-L 'https://www.geocaching.com/login/default.aspx' -v

Without an additional --sslv3 the output is

* About to connect() to www.geocaching.com port 443 (#0)
*   Trying 66.150.167.189... connected
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
* 	 subject: O=www.geocaching.com; OU=Go to https://www.thawte.com/repository/index.html; OU=Thawte SSL123 certificate; OU=Domain Validated; CN=www.geocaching.com
* 	 start date: 2010-06-02 00:00:00 GMT
* 	 expire date: 2012-06-15 23:59:59 GMT
* 	 common name: www.geocaching.com (matched)
* 	 issuer: C=ZA; ST=Western Cape; L=Cape Town; O=Thawte Consulting cc; OU=Certification Services Division; CN=Thawte Server CA; emailAddress=server-certs at thawte.com
* 	 SSL certificate verify ok.
> POST /login/default.aspx HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.0g zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: www.geocaching.com
> Accept: */*
> Cookie: ASP.NET_SessionId=v3crkvc0a4nkwz3hymjokqri
> Content-Length: 2482
> Content-Type: application/x-www-form-urlencoded
> Expect: 100-continue
> 
< HTTP/1.1 100 Continue
< HTTP/1.1 302 Found
< Cache-Control: no-cache
< Pragma: no-cache,no-cache
< Content-Length: 136
< Content-Type: text/html; charset=utf-8
< Expires: -1
< Location: /login/default.aspx
< Server: Microsoft-IIS/7.5
< X-AspNet-Version: 4.0.30319
< Date: Wed, 14 Mar 2012 07:46:41 GMT
* HTTP error before end of send, stop sending
< 
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
* Issue another request to this URL: 'https://www.geocaching.com/login/default.aspx'
* Violate RFC 2616/10.3.3 and switch from POST to GET
* About to connect() to www.geocaching.com port 443 (#0)
*   Trying 66.150.167.189... connected
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSL re-using session ID
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to www.geocaching.com:443 
* Closing connection #0

Then, curl seems to wait for some 30 sec and then exit with

curl: (35) Unknown SSL protocol error in connection to
www.geocaching.com:443

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/595415

Title:
  Curl (openssl) fails to open some https URLs with "illegal parameter"
  error

Status in “curl” package in Ubuntu:
  Incomplete
Status in “openssl” package in Ubuntu:
  Confirmed

Bug description:
  Binary package hint: curl

  Some HTTPS URLs cause curl to fail with an "illegal parameter" error.
  This error goes away if you manually specify "--sslv3".

  e.g.

  $ curl --version
  curl 7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
  Protocols: tftp ftp telnet dict ldap ldaps http file https ftps
  Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

  $ curl  https://www.orange.sk/
  curl: (35) error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter

  $ curl  --sslv3 https://www.orange.sk/
  <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="sk" lang="sk">
  ...etc

  This is particularly problematic if using an application which uses
  libcurl, but does not allow setting of the --sslv3 flag, e.g. nagios's
  check_http utility.

  This Red Hat bug https://bugzilla.redhat.com/show_bug.cgi?id=525496
  appears to describe the same problem, and has a patch.
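
A triage helper for traces like the ones in this report, as an added example (not code from the report, curl or OpenSSL): it splits `curl -v` output into connection attempts and names the failure pattern it sees. The record fields and pattern labels are this example's own, and the sample traces are constructed from lines quoted in this report.

```python
import re

# Constructed excerpt: lines taken from the verbose trace in the comment above.
RESUMED_TRACE = """\
* About to connect() to www.geocaching.com port 443 (#0)
* SSLv3, TLS handshake, Server hello (2):
* SSL connection using RC4-SHA
* About to connect() to www.geocaching.com port 443 (#0)
* SSL re-using session ID
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to www.geocaching.com:443
"""
# Constructed: the first two lines are assumed; the error line is from the bug description.
FIRST_HELLO_TRACE = """\
* About to connect() to www.orange.sk port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
curl: (35) error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter
"""

CONNECT = re.compile(r"^\* About to connect\(\) to (\S+) port \d+")
CIPHER = re.compile(r"^\* SSL connection using (\S+)")
ERROR = re.compile(r"Unknown SSL protocol error|error:[0-9A-Fa-f]+:SSL routines:")

def parse_attempts(trace):
    """Split a curl -v trace into one record per connection attempt."""
    attempts = []
    for line in trace.splitlines():
        if (m := CONNECT.match(line)):
            attempts.append({"host": m.group(1), "resumed": False,
                             "server_hello": False, "cipher": None, "error": None})
        elif attempts:
            cur = attempts[-1]
            cur["resumed"] |= "SSL re-using session ID" in line
            cur["server_hello"] |= "Server hello" in line
            if (c := CIPHER.match(line)):
                cur["cipher"] = c.group(1)
            elif ERROR.search(line):
                cur["error"] = line.lstrip("* ").strip()
    return attempts

def classify(attempts):
    """Name the failure pattern seen in the trace (not a root-cause verdict)."""
    failed = [a for a in attempts if a["error"]]
    if not failed:
        return "ok"
    fresh_ok = any(a["cipher"] and not a["resumed"] and not a["error"] for a in attempts)
    if fresh_ok and all(a["resumed"] for a in failed):
        return "fails-on-session-reuse"
    if not any(a["server_hello"] for a in failed):
        return "fails-before-server-hello"
    return "handshake-error"
```

Feed it the full output of `curl -v ... 2>&1`; a trace with no error line classifies as `ok`.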
